Computer Forensics: File Deletion and Password Cracking Techniques

A comprehensive overview of file deletion and password cracking techniques commonly used in computer forensics investigations. It explores how files are deleted in different Windows operating systems, including the FAT and NTFS file systems, and the methods used to recover deleted files. The document also covers various password cracking techniques, such as brute force, dictionary, and rainbow table attacks, and discusses tools used for password recovery. It further examines anti-forensics techniques, including file deletion, steganography, and trail obfuscation, and highlights the importance of implementing countermeasures against them. The document concludes with a discussion of tools and techniques for gathering information about logged-on users, open files, and network information.

Typology: Exams

2024/2025

Available from 12/31/2024

kelvin-smith-3
CHFI PRACTICE EXAM Questions with 100% Verified Answers Latest Updates 2024 GRADED A+

Windows: When a user deletes a file, the OS does not actually delete the file, it - ✔✔marks the file name in the Master File Table (MFT) with a special character. This character represents that the space once occupied by the file is ready for use

FAT - The OS replaces the first letter of the deleted filename with - ✔✔E5H. Corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered

Deleted files in NTFS - The OS marks the index field in the MFT with a special code. - ✔✔The computer now looks at the clusters occupied by that file as being empty. Until these clusters are overwritten, the file can be recovered

Recycle Bin - ✔✔A place to store files that are marked for deletion. The exceptions are large files and files from removable media

Setting Windows registry key "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 - ✔✔disables updating of the last-accessed timestamp

What Happens When a File is Deleted? Windows 98 and earlier (FAT) - ✔✔
- C:\Recycled (4GB limit)
- Files are named Dxy.ext
  o x is drive
  o y is sequence number (0-??)
  o ext is original extension
- For the first document file deleted on C: drive would be: Dc0.doc

What Happens When a File is Deleted? Windows 2000, XP, NT (NTFS) - ✔✔
- C:\Recycler\S- (based on Windows SID)

What Happens When a File is Deleted? Windows Vista, 7, 8, and 10 - ✔✔
- C:\$Recycle.Bin
- Files are named $Ry.ext
  o y is sequence number
  o ext is original extension
- For the first document file deleted on C: drive would be: $R0.doc

What Happens When a File is Deleted? When a user deletes a file or folder, the OS stores all the details of the file such as its complete path, including the original file name, - ✔✔in a special hidden file called "Info" or "Info2" in the Recycle Bin folder

What Happens When a File is Deleted? In Windows newer than Vista and XP, the OS stores the complete path and file or folder name - ✔✔in a hidden file called INFO

What Happens When a File is Deleted? INFO2 contains various details of deleted files such as: - ✔✔original file name, original file size, the date and time of deletion, unique identifying number, and the drive number that the file came from

Privacy Eraser - ✔✔an anti-forensic solution to protect the privacy of the user by deleting the browsing history and other computer activities. The software implements and exceeds the US Department of Defense and NSA clearing and sanitizing standards, giving you the confidence that once erased, your file data is gone forever and can never be recovered

Brute Force Attack - ✔✔the attacker tries every possible combination of characters until the correct password is found, including using different hashes for encrypted passwords

Dictionary Attack - ✔✔a file is loaded into the cracking application that runs against user accounts. The program

RainbowCrack - ✔✔A hash cracker. It uses a time-memory tradeoff algorithm to crack hashes. It pre-computes all possible plaintext-ciphertext pairs in advance and stores them in the "rainbow table" file

PWdump7 - ✔✔An application that dumps the password hashes (OWFs) from NT's SAM database. It extracts LM and NTLM password hashes of local user accounts from the SAM database

Fgdump - ✔✔Basically, a utility for dumping passwords on Windows NT/2000/XP/2003/Vista machines

Bypass/reset BIOS password - ✔✔
- manufacturer's backdoor password
- password-cracking software (CmosPwd, DaveGrohl)
- reset CMOS or remove battery
- professional service - keyboard buffer overload

Tools to Reset Admin Passwords - ✔✔Active@ Password Changer, Windows Recovery Bootdisk, Windows Password Recovery Lastic

Application Password Cracking - ✔✔Passware Kit, SmartKey, Advanced Office Password Recovery (all versions of Office), Office Password Recovery

PDF password recovery - ✔✔PDF Password Recovery, PDF Password Genius, SmartKey, Tenorshare, Guaranteed

Steganography - ✔✔The art of hidden writing; it has been in use for centuries. It involves embedding a hidden message in some transport or carrier medium, and mathematicians, military personnel, and scientists have been using it

Steganalysis - ✔✔The process of discovering the existence of hidden information within a cover medium; it is the reverse process of steganography

Steganalysis tools - ✔✔Gargoyle, StegAlyzerAS/RTS, StegExpose, StegAlyzerSS, Steganography Studio, Virtual Steganographic Lab (VSL), ImgStegano

Buffer overflow attack - ✔✔attackers use this attack in order to inject and run code in the address space of a running program, thereby successfully altering the victim program's behavior

Anti-forensics techniques include - ✔✔file deletion, password protection, steganography, trail obfuscation, artifact wiping, overwriting data/metadata, encryption, program packers, rootkits, exploiting forensics tool bugs, etc.

Strictly implementing countermeasures against anti-forensics - ✔✔may enable an investigator to successfully deal with a case

System Time - ✔✔The first step while investigating an incident is the collection of this

Logged-on Users - ✔✔The next step after collecting system time is to determine who was and who currently is on a system

Some of the tools and commands used to determine logged-on users - ✔✔PsLoggedOn, net sessions, LogonSessions

PsLoggedOn - ✔✔displays both the locally logged-on users and users logged on via resources, for either the local computer or a remote one

net sessions - ✔✔displays information about all logged-in sessions of the local computer

LogonSessions - ✔✔lists the currently active logged-on sessions and, if you specify the -p option, can provide information on the processes running in each session

Open Files - ✔✔Files that are currently in use; they are opened within the operating system

The following applications let you gather information on open files - ✔✔net file, PsFile, Openfiles

net file - ✔✔displays the names of all open shared files on a server and the number of file locks, if any, on each file. You can also close files and remove file locks

PsFile - ✔✔a command-line utility that can retrieve the list of remotely opened files on a system and allows the investigator to close open files

Openfiles - ✔✔queries or displays open files and also queries, displays, or disconnects files opened by network users

Pslist.exe - ✔✔displays basic information about the already running processes on a system, including the amount of time each process has been running. Options: -x details about threads and memory, -t task tree, -d detail, -m memory, -e exact match for process name

ListDLLs - ✔✔reports DLLs loaded into processes: process name, PID, DLL name. Options: -r relocated, -u unsigned, -v version

Handle - ✔✔displays information about open handles for any process. Options: -a all types, -c close, -l sizes, -y no prompt, -s print count, -u username, -p processes, name

Process Memory

ProcDump - ✔✔monitors applications for CPU spikes and generates crash dumps during a spike so that an administrator or developer can determine the cause of the spike

Process Dumper (PD) - ✔✔forensically dumps the memory of a running process

Process Explorer - ✔✔shows information about the handles and DLLs of the processes that have been opened or loaded

PMDump - ✔✔a tool that lets you dump the memory contents of a process to a file without stopping the process. This tool is highly useful in forensic investigations

Ipconfig - ✔✔Displays IP/MAC information about the interfaces on the system

Print Spool Files - ✔✔These can be found at c:\windows\system32\spool\Printers

Other volatile information to collect - ✔✔Clipboard contents, service/driver information, command history, mapped drives and shares

The system stores the information about shared files and folders in the following registry root key: - ✔✔HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Shares

Important Registry Entries: - ✔✔ClearPageFileAtShutdown, DisableLastAccess

ClearPageFileAtShutdown - ✔✔Will clear the page file at system shutdown, possibly deleting valuable data

DisableLastAccess - ✔✔
- Used to disable the updating of last access time on files
- Can be invoked using the "fsutil" command

AutoRuns Tool - ✔✔Used to identify tasks or programs that run at startup or on a regular schedule

DevCon or Device Console - ✔✔
- a command-line tool that displays detailed information about devices on computers running the Windows operating system
- can be used to enable, disable, install, configure, and remove devices

Slack space - ✔✔the space generated between the end of the file stored and the end of the disk cluster

Fsutil - ✔✔performs tasks related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume

Microsoft Security ID - ✔✔refers to a unique identification number that Microsoft assigns to a Windows user account for granting the user access to a particular resource

PsLogList - ✔✔Allows users to log in to remote systems in situations when the current set of security credentials would not permit access to the Event Log. It retrieves message strings from the computer on which the event log resides. It shows the contents of the System Event Log on the local computer and allows formatting of Event Log records

Extensible Storage Engine (ESE) - ✔✔
- A data storage technology from MS to store and retrieve data using sequential access
- This helps the server to store various files, messages, etc. and access folders, text messages, attachments, etc. for email service provision
- These files have the extension .edb and can provide valuable case evidence in forensic investigations
- The database is in the form of a B-Tree structure and has a hexadecimal file signature

Common artifact locations of Microsoft Edge include: - ESE database - ✔✔\Users\username\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb